MariaDB/MySQL Security Essentials: Disable System Commands

Jul 14, 2013
• Ruy Rocha

The recent Cpanel/WHM Restore Account Root Exploit has brought my attention to system command execution, so let me ask you: do you know that you cannot prevent this behavior? Seriously, there is no documented option to disable system command execution in the standard MySQL client. Well, at least you couldn’t do it until now.

The exploit referred to above exists because MySQL grants were restored as root, meaning that you could execute local commands as root (REALLY DANGEROUS), e.g.:

Get the latest MariaDB 5.5 source and patch client/mysql.cc. You will be able to use the patched mysql client even if you are running Oracle’s MySQL Community Server. Please note that only the MariaDB mysql client is patched right now.
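Until a patched client is in place, a cheap defensive check is to screen any dump before it is fed to the mysql client, because the client executes `system <cmd>` when it appears at the start of a line and the short form `\!` wherever it appears in a line. The scanner below is an added example written for this post; it is not code from the post or from MariaDB. The sample dump is constructed, and treating the long form as case-insensitive is a deliberately conservative assumption so that nothing slips through.

```python
import re

# Constructed sample of a SQL dump as it might be piped into the mysql client.
# Hypothetical content, not taken from the original post.
SAMPLE_DUMP = """\
-- MySQL dump (constructed sample)
CREATE DATABASE IF NOT EXISTS shop;
USE shop;
system id
\\! /bin/true
INSERT INTO t VALUES ('system is a plain word here');
  SYSTEM whoami
SELECT 'safe';
"""

# Long-form client commands such as "system" are recognised only at the start
# of a line (leading whitespace allowed). Matching case-insensitively is a
# conservative assumption: flagging a harmless line costs far less than
# missing a real one.
LONG_FORM = re.compile(r'^\s*system\b', re.IGNORECASE)

# The short form "\!" is recognised anywhere in a line, so search the whole line.
SHORT_FORM = re.compile(r'\\!')


def find_system_commands(text):
    """Return (line_number, form, stripped_line) for every line the mysql
    client would treat as a request to run a shell command."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if LONG_FORM.match(line):
            hits.append((lineno, 'system', line.strip()))
        elif SHORT_FORM.search(line):
            hits.append((lineno, r'\!', line.strip()))
    return hits


def is_clean(text):
    """True when the dump contains no client-side shell commands."""
    return not find_system_commands(text)


if __name__ == '__main__':
    for lineno, form, line in find_system_commands(SAMPLE_DUMP):
        print(f'line {lineno}: {form} command: {line}')
    print('clean' if is_clean(SAMPLE_DUMP) else 'REFUSE: shell commands present')
```

Run it over the dump file before the restore step and abort the restore if `is_clean` returns False; the word "system" inside a quoted string on line 6 of the sample is correctly ignored because it does not begin the line.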

If you’re using Cpanel/WHM, you’re welcome to put MariaDB in any other directory such as /opt/mariadb, compile and patch it there. Do not replace your MySQL installation unless you have a good reason. Then modify the Cpanel::DbUtils module to use the new mysql client by editing /usr/local/cpanel/Cpanel/DbUtils.pm and changing from this